Features

The Implications of GDPR on Health Research

Published on: 30th October 2018

A brief has been produced as part of the work of The Farr Institute Information Governance Working Group offering a need-to-know guide to the European Union’s General Data Protection Regulation (GDPR) in relation to the conduct of health-related research. This document draws on a larger report that considers the issues in full.

The EU General Data Protection Regulation came into force on 25 May 2018 and is directly applicable in all the member states, regulating a broad scope and range of data processing activities. For the UK, the Data Protection Act 2018 ensures GDPR application in the post-Brexit era. The Data Protection Act 2018 and the GDPR should be read together.

The brief examines the GDPR key changes for health-related research. It also advises on the main implications of the GDPR and how the research community should address them when processing both personal data and special categories of personal data for health-related purposes. While the GDPR is the latest legislative initiative to impact on health-related research, it is important that this is also read together with other legal measures, such as the common law duty of confidentiality.

The Working Group shares the opinion that the GDPR is the outcome of reaching a fair balance between data subjects’ rights and research community’s interests, and that it provides for a stringent data protection framework. It also acknowledges that this might impair research if either undue reliance is placed on consent as the means to conduct data-driven research, or if the GDPR risk-based approach and compliance provisions are undermined. Nonetheless, The Farr Institute’s Working Group strongly believes that the GDPR should be seen as an opportunity rather than a threat to research. The GDPR represents a model of other routes to lawful research beyond consent, such as those in the public interest, and these are discussed herein.